- MG Rover Internet Service and Web Farm
- dmz1
To serve the 'back office' applications:
Two e-mail relays
Two Microsoft ISA 'Reverse Proxies' for access to web-based business applications
E-mail service for UK Dealerships, based on MDaemon
Two Microsoft ISA 'Forward Browsing' Proxies built as an ISA cluster
Security:
Firewall configured for essential ports only
Test servers for initial security patch testing
Two servers for each function so one can be upgraded and tested while the other stays in service
- Internet
Two 10 Mb/s connections provided by two separate ISPs
- BGP
Border Gateway Protocol. In order to provide a resilient service, MG Rover obtained its own AS number, and hence its own class C IP addresses.
- Corporate Public Web Sites
Three SUN servers: only one holds all the live sites, one holds data for the 'build your own vehicle' section, and the third is a backup to live.
- Site to Site VPNs
A pair of Cisco 2600s to terminate the VPNs used to connect all the MG
Rover European Sales Offices. Each office had two ADSL lines, from two
separate ISPs, which were routed in an OSPF domain. OSPF would re-route
the connections should one of the ISP connections fail.
- Client VPN SOHO service
Two Nortel 2600 Contivity VPN terminators. These run in parallel, with the client redirecting to the working service should one machine be unavailable. This service was used by our Area Business Managers in the UK and Europe. Also available via any Internet service.
- Site to Site VPNs for the 'users'
A site to site VPN terminates on Cisco 1700 routers. This brought clients from partner sites (China) into the SOHO firewall service without requiring a client VPN.
- Dial-up SOHO service
Provides a traditional modem dial-up service to the SOHO firewall. The Longbridge site Meridian PBX was equipped with a suitable Cisco 30 ISDN to Ethernet router that allowed a specific number to be dialled to gain access.
- Distributed 'on-site' Internet
This was to provide a 'firewalled' Internet service for partner companies who had personnel on our site. They can set up client VPNs back to their own companies. A wireless service with user authentication was planned.
- Dealer Application Network
This houses the web-accessible applications our Global Dealers required to access the 'older' applications.
- The Warranty Application
This is an AS400 IBM server running the 'basic' Warranty application. All vehicle warranty claims would be submitted, by the repairer, via this system. A Windows server running the 'Seagull' web software allowed the application screens (traditional IBM green screens) to be viewed via a web browser, so it looked much more modern. As the infrastructure was not within our normal portfolio, all the support came from the application provider, IDS. This network would prevent any access from these machines into the other networks. Only a small number of FTP feeds were required.
- The Protected Web Server Network
Many web servers require SQL access to Oracle databases. This opens many ports, which would worry any security officer. Oracle was working on a more restricted approach, and encryption was not used (try fault finding with encrypted conversations), so these servers were placed in small groups of IP address ranges, which would limit the number of servers compromised by an attack.
- The main Internal Company Network
Contains the business application databases, desktop PCs, workstations and printers. Other diagrams hold details of this much more extensive network.
- Web Server Build Server
All the Windows server images were held here for rapid rebuilding via Altiris.
- External Windows Domain
This separate Windows and DNS domain was set up to provide a layer of protection between those servers connected to the Internet and those internal. The 'lbex.net' domain had a one-way trust with the internal domain. This enabled users to authenticate against the internal ADS but have no credentials in this outer domain. The DNS was set up to 'know' only those machines and services that were essential, so any corruption of this domain would not affect the internal service.
- Corporate Firewalls
A pair of Nokia 530s running Checkpoint NG in active/passive mode. Installed to provide gigabit interfaces for the new ERP servers and to provide the core machine-to-machine security within the company and with our partners. They provided all the core routing between networks and were the 'default' route for everything. In 2005 several of the networks were having their routes more heavily 'guarded' and 'blackhole' routing was set up. This makes it very difficult for the other routes to be found.
- 'SOHO' Firewall
Two Nokia 350s running Checkpoint NG in active/passive mode. These separate the user rule set from the machine rule sets in the Netscreen and Nokia 530s. They authenticate the user against RADIUS servers from Active Card and RSA.
- Internet Firewall
Two Netscreen 208s in active/passive mode. This really did work, with swap-over times under 3 seconds. No special 'Netscreen features' were invoked (no deep packet inspection). They provide a very good port- and session-based firewall giving all the basic layer 3/4 protection.
- Version Control
The last few changes are visible. All others are available on the actual Visio drawing.